
2.5 Million Xbox and PlayStation Gamers' Details Have Been Leaked From Piracy Forums (thenextweb.com) 36

Xbox360ISO.com and PSPISO.com were hacked by an unknown attacker in late 2015 and the details of the 2.5 million users affected have been leaked online. The leaked information contains email addresses, IP addresses, usernames and passwords. The Next Web reports: It seems that the operator of these sites did nothing to protect the latter, as all passwords were "protected" using the MD5 hashing system, which is trivially easy to overcome. For reference, that's the same hashing system used by LinkedIn. As the names of these sites imply, they were used to share pirated copies of games for Microsoft and Sony's gaming platforms. They also both have a thriving community where people discussed a variety of tech-related topics, including gaming news and software development. If you think you might have had an account on these sites at one point, and want to check if you were affected, you can visit Troy Hunt's Have I Been Pwned. If you have, it's worth emphasizing that anyone who gained access to that site, and anyone who has since downloaded the data dump, will be able to discern your password. If you've used it on another website or platform, you should change it.
  • by WolfgangVL ( 3494585 ) on Wednesday February 01, 2017 @08:10PM (#53785187)

    From this totally wholesome-on-the-up-and-up site. Color me surprised. This is why we use throw away email addys for this sort of thing kids.

  • I clicked on some white space below the story, as I was working in another program on my other screen.

    It took me to the "Have I been Pwned?" site

    NONONONONONONONONONONONONO!!!!! Do not fucking do this Slashdot! This is not funny! This is not appropriate. You want to take me to another website after clicking on white space? What the sleazy clickbait malware satan in hell are you doing? NO! Bad Slashdot! Evil Slashdot. Stop it. This will not do. We are not amused.

    Other than that, I have no strong fe

    • Agree, but I'd start closer to home: if, like me, you're dumb enough to browse Slashdot with no ad-blocker, the 'Sponsored Links' shown on the homepage are as scummy as clickbait gets.

      • Agree, but I'd start closer to home: if, like me, you're dumb enough to browse Slashdot with no ad-blocker, the 'Sponsored Links' shown on the homepage are as scummy as clickbait gets.

        This is weird, as I'm blocking ads, and scripts. They musta found a way around it that needs fixed.

  • Not a surprise (Score:4, Interesting)

    by gweihir ( 88907 ) on Wednesday February 01, 2017 @08:34PM (#53785291)

    The number of times I have had to explain to customers how to do password storage right is staggering. Most still believe a single hash is enough (well, to be fair, for a high-entropy password it is). Some have at least heard of salting the hash. But as soon as you come to iteration, most are clueless, and if you put in things like a large-memory-property (to prevent brute-forcing by FPGAs and graphics-cards), you have lost them completely. Many people just stop learning when there is no direct need to and these are the same people that in many cases write security-critical software.

    On the other hand, PBKDF2 has been available since 2000, packing hashing, iteration and salting in a nice package. And Argon2 now adds large memory and other nice properties and essentially solves the problem. People just seem to be completely unaware of this.

    • The number of times I have had to explain to customers how to do password storage right is staggering. Most still believe a single hash is enough (well, to be fair, for a high-entropy password it is). Some have at least heard of salting the hash...

      Ah yes, salting. A concept I read about over two decades ago in my O'Reilly SysAdmin book. I agree with you, sure is frustrating when those writing software these days act like good security is some newfangled concept we're still waiting for cold fusion to provide.

      On the other hand, PBKDF2 has been available since 2000, packing hashing, iteration and salting in a nice package. And Argon2 now adds large memory and other nice properties and essentially solves the problem. People just seem to be completely unaware of this.

      Given the prevalence of humans using 123456 as a "password", it's not that people are unaware; they simply don't give a shit enough to care.

      • by gweihir ( 88907 )

        On the other hand, PBKDF2 has been available since 2000, packing hashing, iteration and salting in a nice package. And Argon2 now adds large memory and other nice properties and essentially solves the problem. People just seem to be completely unaware of this.

        Given the prevalence of humans using 123456 as a "password", it's not that people are unaware; they simply don't give a shit enough to care.

        Well, my customers come from industries that should care, but yes, that is decidedly one of the roots of the problem.

        Doing password storage badly needs to be classified by default as gross negligence and result in severe personal consequences for those that have done it, just the same as gross malpractice. It is regrettable that this may mean formal engineering qualification requirements or the like for people implementing password-handling software, but apparently the industry is completely unable to regul

      • Given the prevalence of humans using 123456 as a "password"

        That's amazing! I've got the same combination on my luggage!

      • by tlhIngan ( 30335 )

        Given the prevalence of humans using 123456 as a "password", it's not that people are unaware; they simply don't give a shit enough to care.

        It depends.

        If it's a user on a forums, "123456" or "password" may be perfectly legitimate to use. I use them on sketchy websites I don't care if the account gets pwned - they get a junk email address and a junk password - big whoop. You want to post as me? Go right ahead since I signed up to log in once and forgot all about it.

        If it's the admins, then it's a bigger prob

  • Clickbait title (Score:3, Insightful)

    by wept ( 128554 ) on Wednesday February 01, 2017 @08:41PM (#53785343)

    Worst.

    • by Toth ( 36602 )

      Yeah it is clickbaity but it's accurate.
      Yes the hack was over a year ago but the "news" is that it was made widely available about three days ago.

  • Wrong Headline (Score:4, Insightful)

    by Osgeld ( 1900440 ) on Wednesday February 01, 2017 @08:47PM (#53785379)

    2.5 million game pirates had their information leaked from a sketchy ass website over a year ago and now are acting offended someone may steal from them

  • by thesandbender ( 911391 ) on Wednesday February 01, 2017 @08:50PM (#53785399)
    I started to type up a rant about how this headline was completely misleading... but instead I'll just say "I'm done".

    /screw you guys, I'm going home.
  • The problem lies in not using a salt, not in using MD5.
    • The problem lies in not using a salt, not in using MD5.

      If a three-digit combination lock protecting a safe needs a bodyguard standing next to it to ensure no one steals anything, then using a shitty lock is in fact the problem, especially since few choose to spice up their recipe when cooking up a security model.

  • If you can't trust a piracy forum to protect your online details then who can you trust?
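
The storage steps gweihir lists (salt, iteration, large memory) and the salt-versus-MD5 exchange above, shown as an added example that is not part of the thread or of either site's code. It uses Python's standard library, with scrypt swapped in as the memory-hard function because Argon2 needs a third-party package; the record format, the work factors and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def md5_unsalted(password: str) -> str:
    """The scheme the story describes: one fast, unsalted MD5 hash."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, scheme: str = "scrypt") -> str:
    """Return a self-describing record: scheme$params$salt_hex$digest_hex
    (hypothetical format, so the work factor can be raised later)."""
    salt = os.urandom(16)  # fresh random salt for every account
    if scheme == "pbkdf2":
        iters = 600_000  # assumed work factor; tune to your hardware
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
        return f"pbkdf2${iters}${salt.hex()}${dk.hex()}"
    n, r, p = 2**14, 8, 1  # assumed parameters: about 16 MiB of memory per guess
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n},{r},{p}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and parameters."""
    scheme, params, salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "pbkdf2":
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(params))
    elif scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    else:
        return False  # unknown scheme: reject rather than guess
    # Constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(dk, bytes.fromhex(digest_hex))

def shared_digests(users: dict) -> int:
    """Count accounts whose unsalted MD5 digest equals another account's."""
    digests = [md5_unsalted(pw) for pw in users.values()]
    return sum(1 for d in digests if digests.count(d) > 1)

# Constructed sample accounts, not taken from the leaked data
USERS = {"alice": "123456", "bob": "123456", "carol": "correct horse"}

if __name__ == "__main__":
    print("accounts sharing an MD5 digest:", shared_digests(USERS))
    records = {name: hash_password(pw) for name, pw in USERS.items()}
    print("salted records differ:", records["alice"] != records["bob"])
    print("login check:", verify_password("123456", records["alice"]))
```

Without a salt, alice and bob store the same digest, so recovering one password recovers both; with a per-account salt and a slow or memory-hard function, every account has to be guessed separately and each guess is expensive.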
